Security Tools Foss

FOSS Aalborg presentation

    Security Tools Foss - Presentation Transcript

    • Welcome to Security Tools in Software Development, FOSS Aalborg. Henrik Lund Kramshøj, hlk@security6.net, http://www.security6.net. Slides are available as PDF and are in Danish only, sorry. (c) copyright 2009 Security6.net, Henrik Lund Kramshøj 1
    • [Diagram: class/attribute boxes labelled Java, C#, C, Ruby, PHP, Groovy and Python.] Learn about tools that can improve the security of production systems.
    • Internet - Here be dragons
    • Matrix style hacking anno 2003
    • Trinity breaking in: http://nmap.org/movies.html. Very realistic: http://www.youtube.com/watch?v=Zy5_gYu_isg
    • Buffer overflows, a C problem. A buffer overflow is what happens when more data is written than there is room for in a buffer, a data area. Typically the program crashes, but in certain cases an attacker can overwrite the return addresses of function calls and take control. Stack protection is the term for the systems which, by means of the operating system, program libraries and the like, protect the stack with its return addresses and other variables against being overwritten through buffer overflows. StackGuard and ProPolice are among the best known.
    • Buffers and stacks. [Diagram: the stack with its variables and buf; a function that 1) reads data, 2) processes data with strcpy(), which copies the data and returns, 3) continues.]
          main(int argc, char **argv)
          {
              char buf[200];
              strcpy(buf, argv[1]);
              printf("%s\n", buf);
          }
    • Overflow - segmentation fault. [Diagram: the same stack, now with buf overflowed by "/bin/sh ...." followed by the address 1000 repeated until it covers the return address.] Bad function overwrites return value! Control return address. Run shellcode from buffer, or from other place.
    • Exploits. Demo exploit in Perl:
          $buffer = "";
          $null = "\x00";
          $nop = "\x90";
          $nopsize = 1;
          $len = 201;                       # what is needed to overflow, maybe 201, maybe more!
          $the_shell_pointer = 0xdeadbeef;  # address where shellcode is
          # Fill buffer
          for ($i = 1; $i < $len; $i += $nopsize) {
              $buffer .= $nop;
          }
          $address = pack('l', $the_shell_pointer);
          $buffer .= $address;
          exec "$program", "$buffer";
    • How do you find buffer overflows and other bugs? Black box testing: closed source, reverse engineering. White box testing: open source means you can read and analyse the code. Source code review, automatic or manual. Bugs can be found by trial and error: fuzzing. Exploits typically work against specific versions of software.
    • Preconditions. Note: all attacks have preconditions in order to work. An attack against Telnet only works if you use Telnet. An attack against Apache HTTPD does not work against Microsoft IIS. If you can break the chain of preconditions, you have won!
    • Examples of preconditions: the computer must be switched on; the function being abused must be enabled; executable stack; executable heap; a bug in the program (all programs have bugs).
    • Software development is easy. You just have to write perfect code the first time :-) Security is hard. It is hard to write perfect code, if not impossible. So now we will talk about tools to improve the situation.
    • Part 1: Low hanging fruits - easy. Higher quality is more secure.
    • Coding standards - style. This file specifies the preferred style for kernel source files in the OpenBSD source tree. It is also a guide for preferred user land code style. These guidelines should be followed for all new code. In general, code can be considered “new code” when it makes up about 50% or more of the file(s) involved. ... Use queue(3) macros rather than rolling your own lists, whenever possible. Thus, the previous example would be better written:
          #include <sys/queue.h>
          struct foo {
              LIST_ENTRY(foo) link;   /* Queue macro glue for foo lists */
              struct mumble amumble;  /* Comment for mumble */
              int bar;
          };
          LIST_HEAD(, foo) foohead;   /* Head of global foo list */
      OpenBSD style(9)
    • Coding standards - functions. The following copies as many characters from input to buf as will fit and NUL terminates the result. Because strncpy() does not guarantee to NUL terminate the string itself, it must be done by hand.
          char buf[BUFSIZ];
          (void)strncpy(buf, input, sizeof(buf) - 1);
          buf[sizeof(buf) - 1] = '\0';
      Note that strlcpy(3) is a better choice for this kind of operation. The equivalent using strlcpy(3) is simply:
          (void)strlcpy(buf, input, sizeof(buf));
      OpenBSD strcpy(9)
    • Compiler warnings - gcc -Wall
          $ gcc -o demo demo.c
          demo.c: In function main:
          demo.c:4: warning: incompatible implicit declaration of built-in function strcpy
          $ gcc -Wall -o demo demo.c
          demo.c:2: warning: return type defaults to int
          demo.c: In function main:
          demo.c:4: warning: implicit declaration of function strcpy
          demo.c:4: warning: incompatible implicit declaration of built-in function strcpy
          demo.c:5: warning: control reaches end of non-void function
      Easy to do!
    • No warnings = no errors?
          $ cat demo2.c
          #include <strings.h>
          int main(int argc, char **argv)
          {
              char buf[200];
              strcpy(buf, argv[1]);
              return 0;
          }
          $ gcc -Wall -o demo2 demo2.c
      There are still serious bugs!
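As an added example (not code from the presentation or from OpenBSD), here is the strcpy(buf, argv[1]) pattern from the stack slides and demo2.c written the way the coding-standards slide recommends: the strncpy idiom with a hand-set terminator, and a strlcpy-style bounded copy. bounded_copy() and copy_argument() are hypothetical helper names chosen here; bounded_copy follows the strlcpy(3) contract (always NUL-terminates, returns the source length so truncation is detectable) because not every libc ships strlcpy.

```c
/* Added example: bounded alternatives to strcpy(buf, argv[1]). The helper
 * names are this example's own, not the presentation's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy with strlcpy(3) semantics: copies at most dstsize-1 bytes,
 * always NUL-terminates when dstsize > 0, and returns strlen(src) so the
 * caller can detect truncation with (ret >= dstsize). */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* The strncpy(3) idiom from the OpenBSD slide: strncpy pads with NULs but
 * does not guarantee a terminator, so the last byte is set by hand. */
void strncpy_copy(char *dst, const char *src, size_t dstsize)
{
    (void)strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
}

/* Replacement for the body of demo2.c: copy the argument into a fixed-size
 * buffer, but report failure (-1) instead of truncating silently when the
 * argument does not fit. Silent truncation is itself a bug in many contexts. */
int copy_argument(char *buf, size_t bufsize, const char *arg)
{
    if (bounded_copy(buf, arg, bufsize) >= bufsize)
        return -1;                 /* did not fit; caller decides what to do */
    return 0;
}

int main(int argc, char **argv)
{
    char buf[200];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copy_argument(buf, sizeof(buf), argv[1]) != 0) {
        fprintf(stderr, "input too long (%zu bytes, max %zu)\n",
                strlen(argv[1]), sizeof(buf) - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```

The point of returning the source length rather than a boolean is that the caller can log how much was dropped; the point of rejecting rather than truncating in copy_argument is that a 40-character input to a 200-byte buffer behaves exactly like the original demo, while a 300-character input no longer turns into an overwritten return address, only an error message.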
    • Version control. Version control and configuration management have many advantages: who changed what, and when; why a change was made. With version control, pre-commit hooks can be implemented.
    • Subversion sample hook scripts: pre-commit - check
          • case-insensitive.py
          • check-mime-type.pl
          • commit-access-control.pl
          • commit-block-joke.py
          • detect-merge-conflicts.sh
          • enforcer
          • log-police.py
          • pre-commit-check.py
          • svnperms.py
          • verify-po.py
      http://subversion.tigris.org/tools_contrib.html http://svn.collab.net/repos/svn/trunk/contrib/hook-scripts/
    • Example: Enforcer. In a Java project I work on, we use log4j extensively. Use of System.out.println() bypasses the control that we get from log4j, so we would like to discourage the addition of println calls in our code. We want to deny any commits that add a println into the code. The world being full of exceptions, we do need a way to allow some uses of println, so we will allow it if the line of code that calls println ends in a comment that says it is ok:
          System.out.println("No log4j here"); // (authorized)
      http://svn.collab.net/repos/svn/trunk/contrib/hook-scripts/enforcer/enforcer
    • Example: verify-po.py
          #!/usr/bin/env python
          """This is a pre-commit hook that checks whether the contents of PO files
          committed to the repository are encoded in UTF-8.
          """
      http://svn.collab.net/repos/svn/trunk/tools/hook-scripts/verify-po.py
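The rule the Enforcer slide describes, as an added example written for this page (it is not the enforcer script and not from the presentation): a line that calls System.out.println is denied unless it ends in the marker comment "// (authorized)". A real hook would feed it the lines added by the commit; the sample lines in main() are constructed here.

```c
/* Added example: the "no println unless authorized" commit rule as a line
 * filter. line_violates_rule() and count_violations() are names chosen here. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the line violates the rule, 0 otherwise. Trailing whitespace
 * and a newline are ignored when checking for the marker, so an editor that
 * leaves a trailing space does not turn an authorized line into a denial. */
int line_violates_rule(const char *line)
{
    const char *marker = "// (authorized)";
    size_t len = strlen(line);

    if (strstr(line, "System.out.println") == NULL)
        return 0;                     /* no println, nothing to enforce */

    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r' ||
                       line[len - 1] == ' '  || line[len - 1] == '\t'))
        len--;                        /* strip trailing whitespace */

    size_t mlen = strlen(marker);
    if (len >= mlen && memcmp(line + len - mlen, marker, mlen) == 0)
        return 0;                     /* explicitly authorized */
    return 1;
}

/* Runs the rule over the added lines and returns the number of violations;
 * a pre-commit hook exits non-zero (rejecting the commit) when this is > 0. */
int count_violations(const char *const *lines, int nlines)
{
    int violations = 0;
    for (int i = 0; i < nlines; i++) {
        if (line_violates_rule(lines[i])) {
            printf("denied: %s\n", lines[i]);
            violations++;
        }
    }
    return violations;
}

int main(void)
{
    /* Constructed sample of lines a commit might add. */
    const char *const added[] = {
        "        log.info(\"starting up\");",
        "        System.out.println(\"debug\");",
        "        System.out.println(\"No log4j here\"); // (authorized)",
        "        System.out.println(\"trailing space\"); // (authorized)   ",
    };
    int n = count_violations(added, 4);
    printf("%d violation(s)\n", n);
    return n > 0;
}
```

The marker must be at the end of the line, not merely present in it, which is what keeps a commented-out println from being waved through by the word "authorized" appearing somewhere earlier.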
    • Part 2: Design for security - more work. Security is only effective if it is designed in.
    • Secure coding begins with design. Secure Coding: Principles and Practices by Mark G. Graff, Kenneth R. Van Wyk, 2003. Architecture/design: while you are thinking about the application. Implementation: while you are writing the application. Operations: after the application is in production. About 200 pages, but densely packed with information.
    • Sins in Software Security. 19 Deadly Sins of Software Security by Michael Howard, David LeBlanc, John Viega, 2005. Mandatory reading for all developers. The authors have written many good books both before and after. This book is precise and gives an overview. About 270 pages, easy to read. Buffer Overruns, Format String Problems, Integer Overflows, SQL Injection, Command Injection, Failing to Handle Errors, Cross-Site Scripting, Failing to Protect Network Traffic, Magic URLs and Hidden Form Fields, Improper Use of SSL and TLS, Weak Password-Based Systems, Failing to Store and Protect Data Securely, Information Leakage, Improper File Access, Trusting Network Name Resolution, Race Conditions, Unauthenticated Key Exchange, Cryptographically Strong Random Numbers, Poor Usability.
    • Part 3: Testing - more work now, less work in the long run. [Diagram: Test1, Test2, Test3, Test4.] Higher quality is more secure.
    • Why test? Find bugs during the development of the software. Ensure that the software meets quality requirements. Find bugs later! Avoid old bugs reappearing! Test often.
    • Unit testing - the lowest level
          public class TestAdder {
              public void testSum() {
                  Adder adder = new AdderImpl();
                  assert(adder.add(1, 1) == 2);
                  assert(adder.add(1, 2) == 3);
                  assert(adder.add(2, 2) == 4);
                  assert(adder.add(0, 0) == 0);
                  assert(adder.add(-1, -2) == -3);
                  assert(adder.add(-1, 1) == 0);
                  assert(adder.add(1234, 988) == 2222);
              }
          }
      Can be used to test individual parts of an application. Example from http://en.wikipedia.org/wiki/Unit_testing
    • Hudson and friends. Continuous building and testing. Finds bugs as you go - fast feedback.
    • Part 4: Analysis. Use all the help you can get to find bugs.
    • Types of analysis. Static analysis finds bugs without running the program; typically it finds constructs that contain bugs, use of the wrong functions, etc. Dynamic analysis finds bugs by running the program, typically in a special environment.
    • Static analysis tools. Flawfinder: http://www.dwheeler.com/flawfinder/. RATS, Rough Auditing Tool for Security: C, C++, Perl, PHP and Python. PMD: static ruleset based, Java. http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
    • A Fool with a Tool is still a Fool. 1. Run tool. 2. Fix problems. 3. Rinse, repeat. Fixing problems?
          char tmp[256];              /* Flawfinder: ignore */
          strcpy(tmp, pScreenSize);   /* Flawfinder: ignore */
      Example from http://www.dwheeler.com/flawfinder/
    • PMD: static ruleset based Java source code analyzer, http://pmd.sourceforge.net/. Odd note: 2009-02-08 PMD 4.2.5: bug fixes, new rule, new Android ruleset.
    • Hard to do - manual analysis. Why not just program securely? There are many resources available. Websites: Secure Programming for Linux and Unix HOWTO, http://www.dwheeler.com/secure-programs/. Books: 19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, Michael Howard, David LeBlanc, John Viega, plus their other books. It is too hard, takes too long!
    • Feedback. Make sure there is feedback in your processes. Perhaps you only get as far as this part, so make sure that lessons learned are collected for each project. Read the resources and design so that it becomes easier to secure. Few assumptions = fewer bugs.
    • Dynamic analysis. Compile time vs. run time: some bugs cannot be found at compile time. If you are lazy, compile and run the program on OpenBSD ;-)
    • Part 5: Break it. Use fuzzers, hacker tools, improve security by breaking it.
    • Simple fuzzer
          $ for i in 10 20 30 40 50
          >> do
          >> ./demo `perl -e "print 'A'x$i"`
          >> done
          AAAAAAAAAA
          AAAAAAAAAAAAAAAAAAAA
          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
          Memory fault
          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
          Memory fault
          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
          Memory fault
      Memory fault/segmentation fault - juicy!
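The shell loop on the slide feeds ever-longer strings of 'A' to an external binary and waits for a segfault. As an added example (not from the presentation), the same idea in-process: a deterministic random generator produces inputs of random length and content, each one is run through a small hypothetical parse_kv() written here, and invariants are checked after every call instead of waiting for a crash. Guard bytes around the destination buffers stand in for the stack canary the stack-protection slide talks about; a parser that overruns key or val would show up as corrupted guards.

```c
/* Added example: in-process fuzzing of a bounded "key=value" parser.
 * parse_kv(), fuzz_parse_kv() and the kv struct are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 16
#define VAL_MAX 32
#define GUARD   8

/* Fixed-size destination with guard bytes around each buffer, so an
 * overflow of key or val is detectable without an external memory checker. */
struct kv {
    unsigned char g0[GUARD];
    char key[KEY_MAX];
    unsigned char g1[GUARD];
    char val[VAL_MAX];
    unsigned char g2[GUARD];
};

/* Parse "key=value" from a length-delimited (not NUL-terminated) input.
 * Returns 0 on success, -1 if there is no '=', the key is empty, or a part
 * would not fit. Never writes beyond key/val. */
int parse_kv(const unsigned char *in, size_t len, struct kv *out)
{
    size_t eq = 0;
    while (eq < len && in[eq] != '=')
        eq++;
    if (eq == len || eq == 0)
        return -1;                              /* no '=' or empty key */
    size_t vlen = len - eq - 1;
    if (eq >= KEY_MAX || vlen >= VAL_MAX)
        return -1;                              /* would not fit: reject */
    memcpy(out->key, in, eq);
    out->key[eq] = '\0';
    memcpy(out->val, in + eq + 1, vlen);
    out->val[vlen] = '\0';
    return 0;
}

/* xorshift32: tiny deterministic PRNG so a failing input is reproducible
 * from the seed alone (a fuzzer that cannot replay a crash is half a fuzzer). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

static void set_guards(struct kv *k)
{
    memset(k->g0, 0xA5, GUARD); memset(k->g1, 0xA5, GUARD); memset(k->g2, 0xA5, GUARD);
}

static int guards_intact(const struct kv *k)
{
    unsigned char ref[GUARD];
    memset(ref, 0xA5, GUARD);
    return memcmp(k->g0, ref, GUARD) == 0 && memcmp(k->g1, ref, GUARD) == 0 &&
           memcmp(k->g2, ref, GUARD) == 0;
}

/* Run `iterations` random inputs through parse_kv and return the number of
 * invariant violations (0 means the parser survived the run). */
int fuzz_parse_kv(uint32_t seed, int iterations)
{
    unsigned char in[300];
    struct kv k;
    int bad = 0;
    if (seed == 0)
        seed = 1;                               /* xorshift needs a non-zero state */
    for (int i = 0; i < iterations; i++) {
        size_t len = xorshift32(&seed) % sizeof(in);        /* 0..299 bytes */
        for (size_t j = 0; j < len; j++) {
            uint32_t r = xorshift32(&seed);
            /* bias towards the interesting bytes: '=', 'A' and NUL */
            in[j] = (r % 4 == 0) ? '=' : (r % 4 == 1) ? 'A'
                  : (r % 4 == 2) ? 0 : (unsigned char)(r >> 8);
        }
        set_guards(&k);
        int rc = parse_kv(in, len, &k);
        if (!guards_intact(&k)) { bad++; continue; }      /* overflow detected */
        if (rc == 0 && (strlen(k.key) >= KEY_MAX || strlen(k.val) >= VAL_MAX))
            bad++;                                          /* unterminated output */
    }
    return bad;
}

int main(void)
{
    int bad = fuzz_parse_kv(0x1234u, 20000);
    printf("%d invariant violation(s) in 20000 inputs\n", bad);
    return bad != 0;
}
```

Two things carry over to real fuzzing of real targets: the input is length-delimited, so embedded NUL bytes reach the parser instead of silently terminating the string early, and the check is an invariant (terminated output, intact guards) rather than "did it crash", which catches the off-by-one writes that a segfault-only harness like the one on the slide misses.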
    • Fuzz Revisited. Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services. "We have tested the reliability of a large collection of basic UNIX utility programs, X-Window applications and servers, and network services. We used a simple testing method of subjecting these programs to a random input stream. ... The result of our testing is that we can crash (with core dump) or hang (infinite loop) over 40% (in the worst case) of the basic programs and over 25% of the X-Window applications. ... We also tested how utility programs checked their return codes from the memory allocation library routines by simulating the unavailability of virtual memory. We could crash almost half of the programs that we tested in this way." October 1995
    • Fuzzers. cat /dev/random. A program that can supply varied malformed input which may identify bugs. I recommend the book Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, Pedram Amini, and the accompanying website. See: http://www.fuzzing.org/fuzzing-software
    • Free access to hacker tools. In 1993 Dan Farmer and Wietse Venema wrote the article Improving the Security of Your Site by Breaking Into it. In 1995 they released the software package SATAN, Security Administrator Tool for Analyzing Networks. "We realize that SATAN is a two-edged sword - like many tools, it can be used for good and for evil purposes. We also realize that intruders (including wannabees) have much more capable (read intrusive) tools than offered with SATAN." The tradition of openness has been carried on right up to today. See http://sectools.org and http://www.packetstormsecurity.org/
    • Part 6: Enhance and secure the runtime environment. The last chance is at run time.
    • Chroot, jails and ... There are many types of jails on Unix. Ideas from Unix chroot, which is not really a security feature.
          • Unix chroot - still used, often in daemons such as OpenSSH
          • FreeBSD Jails
          • SELinux
          • Solaris Containers and Zones - jails on steroids
          • VMware virtual machines, is that a jail?
      On top of this come a number of other ways to separate processes - sandboxes. Also remember the simple ones: the database running as _postgresql, Tomcat as tomcat, the Postfix mail system as _postfix, SSHD as sshd and so on - plain users, few privileges.
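The "plain users, few privileges" advice from the slide above, as an added example (not from the presentation): a hypothetical drop_privileges() helper that a daemon would call once, after binding its listening socket and before handling any input. It optionally chroots first (only possible while still root), then gives away supplementary groups, gid and uid in that order, and finally verifies that root cannot be regained. The ordering matters: after setuid() to an unprivileged user the process can no longer call setgroups() or setgid(), so doing them last would leave the daemon with its old groups.

```c
/* Added example: chroot and drop privileges in the right order.
 * drop_privileges() is this example's own helper name. */
#define _DEFAULT_SOURCE 1      /* chroot, setgroups, seteuid on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure with errno set by the failing call.
 * jail_dir may be NULL to skip the chroot step. */
int drop_privileges(const char *jail_dir, uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    /* chroot needs root and must happen before root is given away; chdir
     * afterwards so the process does not keep a cwd outside the jail. */
    if (jail_dir != NULL) {
        if (!was_root) { errno = EPERM; return -1; }
        if (chroot(jail_dir) != 0 || chdir("/") != 0)
            return -1;
    }

    /* Supplementary groups first: not permitted once we are no longer root. */
    if (was_root && setgroups(1, &gid) != 0)
        return -1;
    /* gid before uid: changing the gid needs the privilege we are about to drop. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop is real: a non-root uid must not be able to get root back
     * (a leftover saved-set-uid of 0 would make setuid(0) succeed here). */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Stand-alone demo: drop to the current real uid/gid, which is a no-op
     * for an unprivileged user but still exercises every check. */
    if (drop_privileges(NULL, getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %ld gid %ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Opening files, reading keys and binding low ports all happen before this call; everything that parses untrusted input happens after it, which is the whole point of the _postgresql/_postfix/sshd pattern on the slide.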
    • Defense in depth - multiple layers of security. root: switching to root requires group wheel. sudo requires a password. SSHD requires keys. The firewall only allows SSH from specific IPs. Defend yourself with multiple layers of security!
    • JVM security policies. Developed together with Java. Well known. Both Silverlight and JavaFX borrow from this type of model.
    • Apache Tomcat 6.0.18 catalina.policy (excerpt)
          // ========== WEB APPLICATION PERMISSIONS =====================================
          // These permissions are granted by default to all web applications
          // In addition, a web application will be given a read FilePermission
          // and JndiPermission for all files and directories in its document root.
          grant {
              // Required for JNDI lookup of named JDBC DataSource's and
              // javamail named MimePart DataSource used to send mail
              permission java.util.PropertyPermission "java.home", "read";
              permission java.util.PropertyPermission "java.naming.*", "read";
              permission java.util.PropertyPermission "javax.sql.*", "read";
              ...
          };
          // The permission granted to your JDBC driver
          // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
          //   permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
          // };
      Example from apache-tomcat-6.0.18/conf/catalina.policy
    • Apple sandbox: named, generic rules
          ;; named - sandbox profile
          ;; Copyright (c) 2006-2007 Apple Inc. All Rights reserved.
          ;;
          ;; WARNING: The sandbox rules in this file currently constitute
          ;; Apple System Private Interface and are subject to change at any time and
          ;; without notice. The contents of this file are also auto-generated and not
          ;; user editable; it may be overwritten at any time.
          ;;
          (version 1)
          (debug deny)
          (import "bsd.sb")
          (deny default)
          (allow process*)
          (deny signal)
          (allow sysctl-read)
          (allow network*)
    • Apple sandbox: named, specific rules
          ;; Allow named-specific files
          (allow file-write* file-read-data file-read-metadata
                 (regex "^(/private)?/var/run/named.pid$"
                        "^/Library/Logs/named.log$"))
          (allow file-read-data file-read-metadata
                 (regex "^(/private)?/etc/rndc.key$"
                        "^(/private)?/etc/resolv.conf$"
                        "^(/private)?/etc/named.conf$"
                        "^(/private)?/var/named/"))
      Example from /usr/share/sandbox on Mac OS X
    • Good operating systems. Newer versions of Microsoft Windows, Mac OS X and the Linux distributions include:
          • Buffer overflow protection
          • Stack protection, non-executable stack
          • Heap protection, non-executable heap
          • Randomization of parameters, stack gap etc.
      OpenBSD has probably come furthest and is a good example: http://www.openbsd.org/papers/ NB: much of this requires a relatively new CPU and Memory Management Unit. NB: very few embedded systems, or operating systems for them, have any protection!
    • Information security. Remember the following: security comes from long-term initiatives. What is information security? Data in electronic form. Data in physical form. Social engineering - The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick, William L. Simon, Steve Wozniak. Information security is a process.
    • Questions? Henrik Lund Kramshøj, hlk@security6.net, http://www.security6.net. You are always welcome to send questions by e-mail.
    • FreeScan.dk - free port scanning: http://www.freescan.dk
    • Buffer overflows. If you want to learn to write buffer overflows and exploit programs, the following documents are a good place to start: Smashing The Stack For Fun And Profit, Aleph One; Writing Buffer Overflow Exploits with Perl - anno 2000. The following book can also be recommended: The Shellcoder's Handbook: Discovering and Exploiting Security Holes by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte, 2nd Edition, John Wiley & Sons, August 2007. NB: the book is advanced and thus NOT for beginners!
    • milw0rm - the buffer overflow of the day: http://milw0rm.com/
    • Metasploit. Trinity used an exploit program. Today there are collections of exploits such as milw0rm. The development tools for exploits are very sophisticated today! http://www.metasploit.com/
    • Advertisements: courses. The following courses are held with me as the instructor:
          • IPv6 workshop - 1 day: Introduction to the Internet protocols and preparation for deployment in your own networks.
          • Wireless technologies and security workshop - 2 days: A day focusing on network design and sensible implementation of wireless networks, plus integration with home PCs and company networks.
          • Hacker workshop - 2 days: Workshop with a detailed walkthrough of hacker methods: attacks over the network, exploit programs, port scanning, Nessus and others.
          • Forensics workshop - 2 days: Focusing on available open source tools, covers methods and practice for examining disk images and traces on computer systems.
          • Modern Firewalls and Internet Security - 2 days: Informs about threats and activity on the Internet, and gives a proposal for how an advanced modern firewall could be configured today.
      See more at http://www.security6.net/courses.html